From 4424b3c92a4f07ddbcd4cc738a7a6e43c4db7e2e Mon Sep 17 00:00:00 2001 From: mom040267 Date: Sat, 11 Apr 2015 07:26:55 +0000 Subject: [PATCH] --sha256, --sha384, --sha512 parameters retired. --- ChangeLog | 1 + README.turnserver | 11 ----- examples/etc/turnserver.conf | 12 ----- man/man1/turnadmin.1 | 2 +- man/man1/turnserver.1 | 19 +------- man/man1/turnutils.1 | 2 +- src/apps/relay/dbdrivers/dbd_mongo.c | 2 +- src/apps/relay/dbdrivers/dbd_mysql.c | 2 +- src/apps/relay/dbdrivers/dbd_pgsql.c | 2 +- src/apps/relay/dbdrivers/dbd_redis.c | 2 +- src/apps/relay/dbdrivers/dbd_sqlite.c | 2 +- src/apps/relay/mainrelay.c | 48 +------------------- src/apps/relay/mainrelay.h | 1 - src/apps/relay/netengine.c | 2 +- src/apps/relay/turn_admin_server.c | 32 +------------- src/apps/relay/userdb.c | 51 ++++------------------ src/apps/uclient/mainuclient.c | 2 +- src/apps/uclient/session.h | 1 - src/apps/uclient/startuclient.c | 50 --------------------- src/apps/uclient/uclient.c | 24 +++------- src/client/ns_turn_msg.c | 26 ++--------- src/client/ns_turn_msg.h | 2 +- src/client/ns_turn_msg_defs_new.h | 7 +-- src/server/ns_turn_server.c | 63 +++------------------------ src/server/ns_turn_server.h | 2 - 25 files changed, 40 insertions(+), 328 deletions(-) diff --git a/ChangeLog b/ChangeLog index ab0b777..eca06aa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 4/9/2015 Oleg Moskalenko Version 4.4.5.1 'Ardee West': - dual allocation adjusted according to the new TURN-bis draft; + - options sha256, sha384, sha512 retired as non-standard ones; - C++ fixes; - cosmetic fixes; diff --git a/README.turnserver b/README.turnserver index ebdb9d4..01ac596 100644 --- a/README.turnserver +++ b/README.turnserver 
@@ -236,17 +236,6 @@ Flags: --no-multicast-peers Disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*). ---sha256 Require SHA256 digest function to be used for the message integrity. - By default, the server uses SHA1 hashes. With this option, the server - requires the stronger SHA256 hashes. The client application must support - SHA256 hash function if this option is used. If the server obtains a message - from the client with a weaker (SHA1) hash function then the server returns - error code 426. - ---sha384 Require SHA384 digest function to be used for the message integrity. - ---sha512 Require SHA512 digest function to be used for the message integrity. - --mobility Mobility with ICE (MICE) specs support. --no-cli Turn OFF the CLI support. By default it is always ON. diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index 2b11db7..3c2d828 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf @@ -557,18 +557,6 @@ # #secure-stun -# Require SHA256, or SHA384, or SHA512 digest function to be used for the message -# integrity. By default, the server uses SHA1 (as per TURN standard specs). -# With this option, the server always requires the stronger SHA256, SHA384 or SHA512 -# function. The client application must support SHA256, SHA384 or SHA512 hash function -# if this option is used. If the server obtains -# a message from the client with a weaker (SHA1) hash function then the -# server returns error code 426. -# -#sha256 -#sha384 -#sha512 - # Mobility with ICE (MICE) specs support. # #mobility diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index 249d9b0..9d187dc 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "21 March 2015" "" "" +.TH TURN 1 "10 April 2015" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 7f4d0c0..f2361d8 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "21 March 2015" "" "" +.TH TURN 1 "10 April 2015" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client @@ -363,23 +363,6 @@ Disallow peers on well\-known broadcast addresses (224.0.0.0 and above, and FFXX:*). .TP .B -\fB\-\-sha256\fP -Require SHA256 digest function to be used for the message integrity. -By default, the server uses SHA1 hashes. With this option, the server -requires the stronger SHA256 hashes. The client application must support -SHA256 hash function if this option is used. If the server obtains a message -from the client with a weaker (SHA1) hash function then the server returns -error code 426. -.TP -.B -\fB\-\-sha384\fP -Require SHA384 digest function to be used for the message integrity. -.TP -.B -\fB\-\-sha512\fP -Require SHA512 digest function to be used for the message integrity. -.TP -.B \fB\-\-mobility\fP Mobility with ICE (MICE) specs support. .TP diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index 2c3e03d..996a8dc 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "21 March 2015" "" "" +.TH TURN 1 "10 April 2015" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used diff --git a/src/apps/relay/dbdrivers/dbd_mongo.c b/src/apps/relay/dbdrivers/dbd_mongo.c index 48a3105..abcf0b6 100644 --- a/src/apps/relay/dbdrivers/dbd_mongo.c +++ b/src/apps/relay/dbdrivers/dbd_mongo.c 
@@ -216,7 +216,7 @@ static int mongo_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) { if (mongoc_cursor_next(cursor, &item)) { if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "hmackey") && BSON_ITER_HOLDS_UTF8(&iter)) { value = bson_iter_utf8(&iter, &length); - size_t sz = get_hmackey_size(turn_params.shatype) * 2; + size_t sz = get_hmackey_size(SHATYPE_DEFAULT) * 2; if(length < sz) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key format: string length=%d (must be %d): user %s\n", (int)length, (int)sz, usname); } else { diff --git a/src/apps/relay/dbdrivers/dbd_mysql.c b/src/apps/relay/dbdrivers/dbd_mysql.c index 73ecfc9..7ca45cc 100644 --- a/src/apps/relay/dbdrivers/dbd_mysql.c +++ b/src/apps/relay/dbdrivers/dbd_mysql.c @@ -315,7 +315,7 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) { if(row && row[0]) { unsigned long *lengths = mysql_fetch_lengths(mres); if(lengths) { - size_t sz = get_hmackey_size(turn_params.shatype)*2; + size_t sz = get_hmackey_size(SHATYPE_DEFAULT)*2; if(lengths[0]type != REDIS_REPLY_NIL) TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", rget->type); } else { - size_t sz = get_hmackey_size(turn_params.shatype); + size_t sz = get_hmackey_size(SHATYPE_DEFAULT); if(strlen(rget->str)str,usname); } else if(convert_string_key_to_binary(rget->str, key, sz)<0) { diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index 79aca9a..8b928c2 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c 
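Review bot: With the key size now fixed to `get_hmackey_size(SHATYPE_DEFAULT)`, the `if(length < sz)` guard in mongo_get_user_key still accepts any hex string of at least `sz` characters, so an `hmackey` row written while the retired `--sha256`/`--sha384`/`--sha512` settings were in effect (a longer hex string) passes the check and is handed to `convert_string_key_to_binary` with the shorter `sz`; what that helper does with the surplus characters is not visible here, but the likely outcome after an upgrade is a silently wrong key and unexplained 401s that the log line (`must be %d`) never reports. Changing the guard to `if(length != sz) {` makes the stale-key case show up in the log, and the message already describes equality. The mysql and redis hunks on this line appear to use the same `<` comparison (the text is garbled here), and the sqlite hunk on the next line has no length check at all before `convert_string_key_to_binary(kval, key, sz)`. Since the commit offers no migration path, a one-line upgrade note in the ChangeLog entry saying that keys generated under the retired options must be regenerated would spare operators a confusing failure.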
@@ -266,7 +266,7 @@ static int sqlite_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) int res = sqlite3_step(st); if (res == SQLITE_ROW) { char *kval = turn_strdup((const char*) sqlite3_column_text(st, 0)); - size_t sz = get_hmackey_size(turn_params.shatype); + size_t sz = get_hmackey_size(SHATYPE_DEFAULT); if (convert_string_key_to_binary(kval, key, sz) < 0) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key: %s, user %s\n", kval, usname); } else { diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index eca7c6a..df26bca 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -117,7 +117,7 @@ LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,0,"", /////////////// stop server //////////////// 0, /////////////// MISC PARAMS //////////////// -0,0,0,0,0,SHATYPE_SHA1,':',0,0,TURN_CREDENTIALS_NONE,0,0,0,0,0,0, +0,0,0,0,0,':',0,0,TURN_CREDENTIALS_NONE,0,0,0,0,0,0, ///////////// Users DB ////////////// { (TURN_USERDB_TYPE)0, {"\0"}, {0,NULL, {NULL,0}} }, ///////////// CPUs ////////////////// 
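Review bot: The `turn_params` initializer at line 117 of mainrelay.c is a positional aggregate, so dropping `SHATYPE_SHA1` from the MISC PARAMS row is only correct because the `SHATYPE shatype;` member is removed from `_turn_params_` at the same position in mainrelay.h; the compiler cannot check that the two edits line up, and a slip shifts every later field (`':'`, `TURN_CREDENTIALS_NONE`, the Users DB block) by one. Designated initializers would make this class of change safe, e.g. `.rest_api_separator = ':',` for the `':'` entry (assuming that is the member it initializes, as the field order in the mainrelay.h hunk suggests). Failing that, a comment on the row naming the members it covers, in order, would at least let the next removal be verified by reading.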
@@ -562,15 +562,6 @@ static char Usage[] = "Usage: turnserver [options]\n" " /var/tmp/turnserver.pid .\n" " --secure-stun Require authentication of the STUN Binding request.\n" " By default, the clients are allowed anonymous access to the STUN Binding functionality.\n" -" --sha256 Require SHA256 digest function to be used for the message integrity.\n" -" By default, the server SHA1 (as per TURN standard specs).\n" -" With this option, the server\n" -" requires the stronger SHA256 function. The client application must\n" -" support SHA256 hash function if this option is used. If the server obtains\n" -" a message from the client with a weaker (SHA1) hash function then the server\n" -" returns error code 426.\n" -" --sha384 Require SHA384 digest function to be used for the message integrity.\n" -" --sha512 Require SHA512 digest function to be used for the message integrity.\n" " --proc-user User name to run the turnserver process.\n" " After the initialization, the turnserver process\n" " will make an attempt to change the current user ID to that user.\n" @@ -645,10 +636,6 @@ static char AdminUsage[] = "Usage: turnadmin [command] [options]\n" #if !defined(TURN_NO_SQLITE) || !defined(TURN_NO_PQ) || !defined(TURN_NO_MYSQL) || !defined(TURN_NO_MONGO) || !defined(TURN_NO_HIREDIS) " -o, --origin Origin\n" #endif - " -H, --sha256 Use SHA256 digest function to be used for the message integrity.\n" - " By default, the server SHA1 (as per TURN standard specs).\n" - " -Y, --sha384 Use SHA384 digest function to be used for the message integrity.\n" - " -K, --sha512 Use SHA512 digest function to be used for the message integrity.\n" " --max-bps Set value of realm's max-bps parameter.\n" " Setting to zero value means removal of the option.\n" " --total-quota Set value of realm's total-quota parameter.\n" @@ -698,9 +685,6 @@ enum EXTRA_OPTS { SECURE_STUN_OPT, CA_FILE_OPT, DH_FILE_OPT, - SHA256_OPT, - SHA384_OPT, - SHA512_OPT, NO_STUN_OPT, PROC_USER_OPT, PROC_GROUP_OPT, 
@@ -823,9 +807,6 @@ static const struct myoption long_options[] = { { "secure-stun", optional_argument, NULL, SECURE_STUN_OPT }, { "CA-file", required_argument, NULL, CA_FILE_OPT }, { "dh-file", required_argument, NULL, DH_FILE_OPT }, - { "sha256", optional_argument, NULL, SHA256_OPT }, - { "sha384", optional_argument, NULL, SHA384_OPT }, - { "sha512", optional_argument, NULL, SHA512_OPT }, { "proc-user", required_argument, NULL, PROC_USER_OPT }, { "proc-group", required_argument, NULL, PROC_GROUP_OPT }, { "mobility", optional_argument, NULL, MOBILITY_OPT }, @@ -880,9 +861,6 @@ static const struct myoption admin_long_options[] = { { "user", required_argument, NULL, 'u' }, { "realm", required_argument, NULL, 'r' }, { "password", required_argument, NULL, 'p' }, - { "sha256", no_argument, NULL, 'H' }, - { "sha384", no_argument, NULL, 'Y' }, - { "sha512", no_argument, NULL, 'K' }, { "add-origin", no_argument, NULL, 'O' }, { "del-origin", no_argument, NULL, 'R' }, { "list-origins", required_argument, NULL, 'I' }, @@ -1046,18 +1024,6 @@ static void set_option(int c, char *value) case SECURE_STUN_OPT: turn_params.secure_stun = get_bool_value(value); break; - case SHA256_OPT: - if(get_bool_value(value)) - turn_params.shatype = SHATYPE_SHA256; - break; - case SHA384_OPT: - if(get_bool_value(value)) - turn_params.shatype = SHATYPE_SHA384; - break; - case SHA512_OPT: - if(get_bool_value(value)) - turn_params.shatype = SHATYPE_SHA512; - break; case NO_MULTICAST_PEERS_OPT: turn_params.no_multicast_peers = get_bool_value(value); break; @@ -1592,18 +1558,6 @@ static int adminmain(int argc, char **argv) exit(0); } break; - case 'H': - if(get_bool_value(optarg)) - turn_params.shatype = SHATYPE_SHA256; - break; - case 'Y': - if(get_bool_value(optarg)) - turn_params.shatype = SHATYPE_SHA384; - break; - case 'K': - if(get_bool_value(optarg)) - turn_params.shatype = SHATYPE_SHA512; - break; case 'h': printf("\n%s\n", AdminUsage); exit(0); 
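Review bot: Removing the `sha256`/`sha384`/`sha512` entries from `long_options` and `admin_long_options` means an existing turnserver.conf or command line that still carries one of them (the shipped example config listed `#sha256`, `#sha384`, `#sha512`) is now an unknown option; how the parser reacts to that is outside this diff, but it is unlikely to be a clear "this option has been retired" message. For one release it would be kinder to keep the three `long_options` entries and the `SHA256_OPT`/`SHA384_OPT`/`SHA512_OPT` cases in `set_option` as a single no-op arm, e.g. `case SHA256_OPT: case SHA384_OPT: case SHA512_OPT: TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "option sha256/sha384/sha512 is retired and ignored\n"); break;`, so an upgrade does not fail on the old config file. The same applies to the `-H`/`-Y`/`-K` arms removed from adminmain.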
diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h index b2f8033..3f2ecf7 100644 --- a/src/apps/relay/mainrelay.h +++ b/src/apps/relay/mainrelay.h @@ -291,7 +291,6 @@ typedef struct _turn_params_ { vint secure_stun; int server_relay; int fingerprint; - SHATYPE shatype; char rest_api_separator; vint stale_nonce; vint mobility; diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c index 3f71bfb..7daf918 100644 --- a/src/apps/relay/netengine.c +++ b/src/apps/relay/netengine.c @@ -1642,7 +1642,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int &turn_params.no_multicast_peers, &turn_params.no_loopback_peers, &turn_params.ip_whitelist, &turn_params.ip_blacklist, send_socket_to_relay, - &turn_params.secure_stun, turn_params.shatype, &turn_params.mobility, + &turn_params.secure_stun, &turn_params.mobility, turn_params.server_relay, send_turn_session_info, send_https_socket, diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c index 1e9aeed..d331794 100644 --- a/src/apps/relay/turn_admin_server.c +++ b/src/apps/relay/turn_admin_server.c @@ -691,16 +691,6 @@ static void cli_print_configuration(struct cli_session* cs) cli_print_str(cs,turn_params.cert_file,"Certificate file",0); cli_print_str(cs,turn_params.pkey_file,"Private Key file",0); - if(turn_params.shatype == SHATYPE_SHA256) - cli_print_str(cs,"SHA256","SHA type",0); - else if(turn_params.shatype == SHATYPE_SHA384) - cli_print_str(cs,"SHA384","SHA type",0); - else if(turn_params.shatype == SHATYPE_SHA512) - cli_print_str(cs,"SHA512","SHA type",0); - else - cli_print_str(cs,"SHA1","SHA type",0); - myprintf(cs,"\n"); - cli_print_str_array(cs,turn_params.listener.addrs,turn_params.listener.addrs_number,"Listener addr",0); if(turn_params.listener_ifname[0]) 
@@ -1962,15 +1952,6 @@ static void write_pc_page(ioa_socket_handle s) https_print_str(sb,turn_params.cert_file,"Certificate file",0); https_print_str(sb,turn_params.pkey_file,"Private Key file",0); - if(turn_params.shatype == SHATYPE_SHA256) - https_print_str(sb,"SHA256","SHA type",0); - else if(turn_params.shatype == SHATYPE_SHA384) - https_print_str(sb,"SHA384","SHA type",0); - else if(turn_params.shatype == SHATYPE_SHA512) - https_print_str(sb,"SHA512","SHA type",0); - else - https_print_str(sb,"SHA1","SHA type",0); - https_print_empty_row(sb,2); https_print_str_array(sb,turn_params.listener.addrs,turn_params.listener.addrs_number,"Listener addr"); @@ -2495,15 +2476,6 @@ static void write_users_page(ioa_socket_handle s, const u08bits *add_user, const str_buffer_append(sb,"\""); str_buffer_append(sb,">

\r\n"); - if(turn_params.shatype == SHATYPE_SHA256) - str_buffer_append(sb,"SHA type: SHA256
\r\n"); - else if(turn_params.shatype == SHATYPE_SHA384) - str_buffer_append(sb,"SHA type: SHA384
\r\n"); - else if(turn_params.shatype == SHATYPE_SHA512) - str_buffer_append(sb,"SHA type: SHA512
\r\n"); - else - str_buffer_append(sb,"SHA type: SHA1
\r\n"); - str_buffer_append(sb,"
"); str_buffer_append(sb,"\r\n"); @@ -3491,9 +3463,9 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) STRCPY(u,add_user); STRCPY(r,add_realm); STRCPY(p,pwd); - stun_produce_integrity_key_str(u, r, p, key, turn_params.shatype); + stun_produce_integrity_key_str(u, r, p, key, SHATYPE_DEFAULT); size_t i = 0; - size_t sz = get_hmackey_size(turn_params.shatype); + size_t sz = get_hmackey_size(SHATYPE_DEFAULT); int maxsz = (int) (sz * 2) + 1; char *s = skey; for (i = 0; (i < sz) && (maxsz > 2); i++) { diff --git a/src/apps/relay/userdb.c b/src/apps/relay/userdb.c index e846cb0..dd82338 100644 --- a/src/apps/relay/userdb.c +++ b/src/apps/relay/userdb.c @@ -484,29 +484,10 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u switch(dot.enc_block.key_length) { case SHA1SIZEBYTES: - if(turn_params.shatype != SHATYPE_SHA1) { - TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(1): %d\n",(int)dot.enc_block.key_length); - return -1; - } break; case SHA256SIZEBYTES: - if(turn_params.shatype != SHATYPE_SHA256) { - TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(2): %d\n",(int)dot.enc_block.key_length); - return -1; - } - break; case SHA384SIZEBYTES: - if(turn_params.shatype != SHATYPE_SHA384) { - TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length); - return -1; - } - break; case SHA512SIZEBYTES: - if(turn_params.shatype != SHATYPE_SHA512) { - TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length); - return -1; - } - break; default: TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length); return -1; 
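Review bot: In the `dot.enc_block.key_length` switch in get_user_key (the userdb.c hunk at -484), the `SHA1SIZEBYTES`, `SHA256SIZEBYTES`, `SHA384SIZEBYTES` and `SHA512SIZEBYTES` labels now all fall through to one `break;`, so MAC keys of 20, 32, 48 or 64 bytes are accepted while the token is then verified with `SHATYPE_DEFAULT` only; the per-size check that tied the key length to the configured digest is gone and the fall-through is unmarked. If accepting all four lengths is intended (an HMAC takes a key of any length, but this diff does not show how the oAuth key is used beyond the call at -518), say so in place: `/* fall through: any standard digest-sized MAC key is accepted; the HMAC is computed with SHATYPE_DEFAULT */`. If only the one length belonging to the default digest is meant, a single comparison against that length would express it and remove the dead labels. Note also that the surviving `default:` message still carries the `oAuth token(3)` tag that the removed SHA384 and SHA512 arms also used, so the log line no longer identifies which check failed.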
@@ -518,7 +499,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u ioa_network_buffer_get_size(nbh), dot.enc_block.mac_key, pwdtmp, - turn_params.shatype,NULL)>0) { + SHATYPE_DEFAULT)>0) { turn_time_t lifetime = (turn_time_t)(dot.enc_block.lifetime); if(lifetime) { @@ -578,25 +559,11 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u int sarlen = stun_attr_get_len(sar); switch(sarlen) { case SHA1SIZEBYTES: - if(turn_params.shatype != SHATYPE_SHA1) - return -1; hmac_len = SHA1SIZEBYTES; break; case SHA256SIZEBYTES: - if(turn_params.shatype != SHATYPE_SHA256) - return -1; - hmac_len = SHA256SIZEBYTES; - break; case SHA384SIZEBYTES: - if(turn_params.shatype != SHATYPE_SHA384) - return -1; - hmac_len = SHA384SIZEBYTES; - break; case SHA512SIZEBYTES: - if(turn_params.shatype != SHATYPE_SHA512) - return -1; - hmac_len = SHA512SIZEBYTES; - break; default: return -1; }; @@ -606,7 +573,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u const char* secret = get_secrets_list_elem(&sl,sll); if(secret) { - if(stun_calculate_hmac(usname, strlen((char*)usname), (const u08bits*)secret, strlen(secret), hmac, &hmac_len, turn_params.shatype)>=0) { + if(stun_calculate_hmac(usname, strlen((char*)usname), (const u08bits*)secret, strlen(secret), hmac, &hmac_len, SHATYPE_DEFAULT)>=0) { size_t pwd_length = 0; char *pwd = base64_encode(hmac,hmac_len,&pwd_length); 
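Review bot: In the `stun_attr_get_len(sar)` switch in get_user_key (hunk at -578), the `case SHA256SIZEBYTES:`, `case SHA384SIZEBYTES:` and `case SHA512SIZEBYTES:` labels are now empty and fall into `default: return -1;`, so they suggest those lengths are handled differently when they are not. Dropping the three labels leaves `case SHA1SIZEBYTES: hmac_len = SHA1SIZEBYTES; break; default: return -1;`, which reads as what the code now does. If they are kept deliberately, a `/* fall through: only the default digest length is accepted */` comment should say so.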
@@ -614,14 +581,14 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u if(pwd_length<1) { turn_free(pwd,strlen(pwd)+1); } else { - if(stun_produce_integrity_key_str((u08bits*)usname, realm, (u08bits*)pwd, key, turn_params.shatype)>=0) { + if(stun_produce_integrity_key_str((u08bits*)usname, realm, (u08bits*)pwd, key, SHATYPE_DEFAULT)>=0) { if(stun_check_message_integrity_by_key_str(TURN_CREDENTIALS_LONG_TERM, ioa_network_buffer_data(nbh), ioa_network_buffer_get_size(nbh), key, pwdtmp, - turn_params.shatype,NULL)>0) { + SHATYPE_DEFAULT)>0) { ret = 0; } @@ -650,7 +617,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u ur_string_map_unlock(turn_params.default_users_db.ram_db.static_accounts); if(ret==0) { - size_t sz = get_hmackey_size(turn_params.shatype); + size_t sz = get_hmackey_size(SHATYPE_DEFAULT); ns_bcopy(ukey,key,sz); return 0; } @@ -762,7 +729,7 @@ int add_static_user_account(char *user) hmackey_t *key = (hmackey_t*)turn_malloc(sizeof(hmackey_t)); if(strstr(s,"0x")==s) { char *keysource = s + 2; - size_t sz = get_hmackey_size(turn_params.shatype); + size_t sz = get_hmackey_size(SHATYPE_DEFAULT); if(strlen(keysource)options.name, (u08bits*)s, *key, turn_params.shatype); + stun_produce_integrity_key_str((u08bits*)usname, (u08bits*)get_realm(NULL)->options.name, (u08bits*)s, *key, SHATYPE_DEFAULT); } { ur_string_map_lock(turn_params.default_users_db.ram_db.static_accounts); @@ -973,9 +940,9 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b must_set_admin_pwd(pwd); { - stun_produce_integrity_key_str(user, realm, pwd, key, turn_params.shatype); + stun_produce_integrity_key_str(user, realm, pwd, key, SHATYPE_DEFAULT); size_t i = 0; - size_t sz = get_hmackey_size(turn_params.shatype); + size_t sz = get_hmackey_size(SHATYPE_DEFAULT); int maxsz = (int) (sz * 2) + 1; char *s = skey; for (i = 0; (i < sz) && (maxsz > 2); i++) { 
diff --git a/src/apps/uclient/mainuclient.c b/src/apps/uclient/mainuclient.c index d7ef355..53f45f9 100644 --- a/src/apps/uclient/mainuclient.c +++ b/src/apps/uclient/mainuclient.c @@ -84,7 +84,7 @@ int negative_protocol_test = 0; int dos = 0; int random_disconnect = 0; -SHATYPE shatype = SHATYPE_SHA1; +SHATYPE shatype = SHATYPE_DEFAULT; int mobility = 0; diff --git a/src/apps/uclient/session.h b/src/apps/uclient/session.h index a414986..6e394c8 100644 --- a/src/apps/uclient/session.h +++ b/src/apps/uclient/session.h @@ -91,7 +91,6 @@ typedef struct { app_tcp_conn_info **tcp_conn; size_t tcp_conn_number; int is_peer; - SHATYPE shatype; char s_mobile_id[33]; } app_ur_conn_info; diff --git a/src/apps/uclient/startuclient.c b/src/apps/uclient/startuclient.c index 60bdaa2..74d6a97 100644 --- a/src/apps/uclient/startuclient.c +++ b/src/apps/uclient/startuclient.c @@ -526,16 +526,6 @@ static int clnet_allocate(int verbose, &err_code,err_msg,sizeof(err_msg), clnet_info->realm,clnet_info->nonce, clnet_info->server_name, &(clnet_info->oauth))) { - if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { - clnet_info->shatype = SHATYPE_SHA256; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) { - clnet_info->shatype = SHATYPE_SHA384; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) { - clnet_info->shatype = SHATYPE_SHA512; - recalculate_restapi_hmac(clnet_info->shatype); - } goto beg_allocate; } else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) { 
@@ -730,16 +720,6 @@ static int clnet_allocate(int verbose, &err_code,err_msg,sizeof(err_msg), clnet_info->realm,clnet_info->nonce, clnet_info->server_name, &(clnet_info->oauth))) { - if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { - clnet_info->shatype = SHATYPE_SHA256; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) { - clnet_info->shatype = SHATYPE_SHA384; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) { - clnet_info->shatype = SHATYPE_SHA512; - recalculate_restapi_hmac(clnet_info->shatype); - } goto beg_refresh; } else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) { refresh_received = 1; @@ -834,16 +814,6 @@ static int turn_channel_bind(int verbose, uint16_t *chn, &err_code,err_msg,sizeof(err_msg), clnet_info->realm,clnet_info->nonce, clnet_info->server_name, &(clnet_info->oauth))) { - if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { - clnet_info->shatype = SHATYPE_SHA256; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) { - clnet_info->shatype = SHATYPE_SHA384; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) { - clnet_info->shatype = SHATYPE_SHA512; - recalculate_restapi_hmac(clnet_info->shatype); - } goto beg_bind; } else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) { cb_received = 1; 
@@ -948,16 +918,6 @@ static int turn_create_permission(int verbose, app_ur_conn_info *clnet_info, &err_code,err_msg,sizeof(err_msg), clnet_info->realm,clnet_info->nonce, clnet_info->server_name, &(clnet_info->oauth))) { - if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { - clnet_info->shatype = SHATYPE_SHA256; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) { - clnet_info->shatype = SHATYPE_SHA384; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) { - clnet_info->shatype = SHATYPE_SHA512; - recalculate_restapi_hmac(clnet_info->shatype); - } goto beg_cp; } else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) { cp_received = 1; @@ -1533,16 +1493,6 @@ static int turn_tcp_connection_bind(int verbose, app_ur_conn_info *clnet_info, a &err_code,err_msg,sizeof(err_msg), clnet_info->realm,clnet_info->nonce, clnet_info->server_name, &(clnet_info->oauth))) { - if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { - clnet_info->shatype = SHATYPE_SHA256; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) { - clnet_info->shatype = SHATYPE_SHA384; - recalculate_restapi_hmac(clnet_info->shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) { - clnet_info->shatype = SHATYPE_SHA512; - recalculate_restapi_hmac(clnet_info->shatype); - } goto beg_cb; } else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) { cb_received = 1; diff --git a/src/apps/uclient/uclient.c b/src/apps/uclient/uclient.c index e55a6b3..6a32fd0 100644 --- a/src/apps/uclient/uclient.c +++ b/src/apps/uclient/uclient.c 
@@ -119,7 +119,6 @@ static app_ur_session* init_app_session(app_ur_session *ss) { if(ss) { ns_bzero(ss,sizeof(app_ur_session)); ss->pinfo.fd=-1; - ss->pinfo.shatype = shatype; } return ss; } @@ -751,17 +750,6 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info &err_code,err_msg,sizeof(err_msg), clnet_info->realm,clnet_info->nonce, clnet_info->server_name, &(clnet_info->oauth))) { - if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA1)) { - elem->pinfo.shatype = SHATYPE_SHA256; - recalculate_restapi_hmac(elem->pinfo.shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA256)) { - elem->pinfo.shatype = SHATYPE_SHA384; - recalculate_restapi_hmac(elem->pinfo.shatype); - } else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA384)) { - elem->pinfo.shatype = SHATYPE_SHA512; - recalculate_restapi_hmac(elem->pinfo.shatype); - } - if(is_TCP_relay() && (stun_get_method(&(elem->in_buffer)) == STUN_METHOD_CONNECT)) { turn_tcp_connect(clnet_verbose, &(elem->pinfo), &(elem->pinfo.peer_addr)); } else if(stun_get_method(&(elem->in_buffer)) == STUN_METHOD_REFRESH) { @@ -1008,7 +996,6 @@ static int start_client(const char *remote_address, int port, app_ur_conn_info clnet_info_probe; /* for load balancing probe */ ns_bzero(&clnet_info_probe,sizeof(clnet_info_probe)); clnet_info_probe.fd = -1; - clnet_info_probe.shatype = shatype; app_ur_conn_info *clnet_info=&(ss->pinfo); app_ur_conn_info *clnet_info_rtcp=NULL; @@ -1103,7 +1090,6 @@ static int start_c2c(const char *remote_address, int port, app_ur_conn_info clnet_info_probe; /* for load balancing probe */ ns_bzero(&clnet_info_probe,sizeof(clnet_info_probe)); clnet_info_probe.fd = -1; - clnet_info_probe.shatype = shatype; app_ur_conn_info *clnet_info1=&(ss1->pinfo); app_ur_conn_info *clnet_info1_rtcp=NULL; 
@@ -1652,7 +1638,7 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message) } if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey_array[cok].kid, - clnet_info->realm, clnet_info->key, clnet_info->nonce, clnet_info->shatype)<0) { + clnet_info->realm, clnet_info->key, clnet_info->nonce, shatype)<0) { TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n"); return -1; } @@ -1661,14 +1647,14 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message) { password_t pwd; if(stun_check_message_integrity_by_key_str(get_turn_credentials_type(), - message->buf, (size_t)(message->len), clnet_info->key, pwd, clnet_info->shatype, NULL)<1) { + message->buf, (size_t)(message->len), clnet_info->key, pwd, shatype)<1) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR," Self-test of integrity does not comple correctly !\n"); return -1; } } } else { if(stun_attr_add_integrity_by_user_str(message->buf, (size_t*)&(message->len), g_uname, - clnet_info->realm, g_upwd, clnet_info->nonce, clnet_info->shatype)<0) { + clnet_info->realm, g_upwd, clnet_info->nonce, shatype)<0) { TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n"); return -1; } @@ -1680,14 +1666,14 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message) int check_integrity(app_ur_conn_info *clnet_info, stun_buffer *message) { - SHATYPE sht = clnet_info->shatype; + SHATYPE sht = shatype; if(oauth && clnet_info->oauth) { password_t pwd; return stun_check_message_integrity_by_key_str(get_turn_credentials_type(), - message->buf, (size_t)(message->len), clnet_info->key, pwd, sht, NULL); + message->buf, (size_t)(message->len), clnet_info->key, pwd, sht); } else { diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index c562682..c90dd4f 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c 
@@ -467,7 +467,7 @@ int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code { int ret = stun_is_error_response_str(buf, len, err_code, err_msg, err_msg_size); - if(ret && (((*err_code) == 401) || ((*err_code) == 438) || ((*err_code) == SHA_TOO_WEAK_ERROR_CODE))) { + if(ret && (((*err_code) == 401) || ((*err_code) == 438) )) { stun_attr_ref sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_REALM); if(sar) { @@ -1801,7 +1801,7 @@ void print_hmac(const char *name, const void *s, size_t len) /* * Return -1 if failure, 0 if the integrity is not correct, 1 if OK */ -int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype, int *too_weak) +int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype) { int res = 0; u08bits new_hmac[MAXSHASIZE]; @@ -1817,41 +1817,21 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *bu switch(sarlen) { case SHA256SIZEBYTES: shasize = SHA256SIZEBYTES; - if(shatype > SHATYPE_SHA256) { - if(too_weak) - *too_weak = 1; - return -1; - } if(shatype != SHATYPE_SHA256) return -1; break; case SHA384SIZEBYTES: shasize = SHA384SIZEBYTES; - if(shatype > SHATYPE_SHA384) { - if(too_weak) - *too_weak = 1; - return -1; - } if(shatype != SHATYPE_SHA384) return -1; break; case SHA512SIZEBYTES: shasize = SHA512SIZEBYTES; - if(shatype > SHATYPE_SHA512) { - if(too_weak) - *too_weak = 1; - return -1; - } if(shatype != SHATYPE_SHA512) return -1; break; case SHA1SIZEBYTES: shasize = SHA1SIZEBYTES; - if(shatype > SHATYPE_SHA1) { - if(too_weak) - *too_weak = 1; - return -1; - } if(shatype != SHATYPE_SHA1) return -1; break; 
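Review bot: The header comment on `stun_check_message_integrity_by_key_str` (`Return -1 if failure, 0 if the integrity is not correct, 1 if OK`) no longer covers the length-mismatch path now that the `too_weak` out-parameter is gone: a MESSAGE-INTEGRITY attribute whose length does not match `shatype` still returns -1 from the retained `if(shatype != SHATYPE_...) return -1;` arms, which callers such as get_user_key (`>0` tests) treat like a malformed message rather than a bad credential. That is a defensible choice, but it is now the only signal left, so the comment above the definition, and its copy in ns_turn_msg.h, should state it, e.g. `-1 also covers a MESSAGE-INTEGRITY length that does not match shatype`. With the `too_weak` branches removed the four arms are the same `shasize = N; if(shatype != T) return -1; break;` shape repeated; a small size-to-SHATYPE lookup would shrink the switch, though the current form is correct as written.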
@@ -1903,7 +1883,7 @@ int stun_check_message_integrity_str(turn_credential_type ct, u08bits *buf, size else if (stun_produce_integrity_key_str(uname, realm, upwd, key, shatype) < 0) return -1; - return stun_check_message_integrity_by_key_str(ct, buf, len, key, pwd, shatype, NULL); + return stun_check_message_integrity_by_key_str(ct, buf, len, key, pwd, shatype); } /* RFC 5780 */ diff --git a/src/client/ns_turn_msg.h b/src/client/ns_turn_msg.h index 79494ae..17d3485 100644 --- a/src/client/ns_turn_msg.h +++ b/src/client/ns_turn_msg.h @@ -181,7 +181,7 @@ void print_bin_func(const char *name, size_t len, const void *s, const char *fun /* * Return -1 if failure, 0 if the integrity is not correct, 1 if OK */ -int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype, int *too_weak); +int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype); int stun_check_message_integrity_str(turn_credential_type ct, u08bits *buf, size_t len, u08bits *uname, u08bits *realm, u08bits *upwd, SHATYPE shatype); int stun_attr_add_integrity_str(turn_credential_type ct, u08bits *buf, size_t *len, hmackey_t key, password_t pwd, SHATYPE shatype); int stun_attr_add_integrity_by_key_str(u08bits *buf, size_t *len, u08bits *uname, u08bits *realm, hmackey_t key, u08bits *nonce, SHATYPE shatype); diff --git a/src/client/ns_turn_msg_defs_new.h b/src/client/ns_turn_msg_defs_new.h index 9e5d2cf..81bb51a 100644 --- a/src/client/ns_turn_msg_defs_new.h +++ b/src/client/ns_turn_msg_defs_new.h @@ -44,7 +44,7 @@ /* <<== Bandwidth */ -/* SHA AGILITY ==>> */ +/* SHA ==>> */ #define SHA1SIZEBYTES (20) #define SHA256SIZEBYTES (32) 
@@ -66,10 +66,7 @@ typedef enum _SHATYPE SHATYPE; #define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : ((sht == SHATYPE_SHA384) ? "SHA384" : "SHA512"))) -#define SHA_TOO_WEAK_ERROR_CODE (426) -#define SHA_TOO_WEAK_ERROR_REASON ((const u08bits*)("credentials too weak")) - -/* <<== SHA AGILITY */ +/* <<== SHA */ /* OAUTH TOKEN ENC ALG ==> */ diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c index ab068e8..3cd62ca 100644 --- a/src/server/ns_turn_server.c +++ b/src/server/ns_turn_server.c @@ -1717,7 +1717,7 @@ static int handle_turn_refresh(turn_turnserver *server, } if(message_integrity) { - stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype); + stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,SHATYPE_DEFAULT); ioa_network_buffer_set_size(nbh,len); } @@ -1980,7 +1980,7 @@ static void tcp_peer_connection_completed_callback(int success, void *arg) ioa_network_buffer_set_size(nbh,len); if(need_stun_authentication(server, ss)) { - stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype); + stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,SHATYPE_DEFAULT); ioa_network_buffer_set_size(nbh,len); } @@ -2462,7 +2462,7 @@ int turnserver_accept_tcp_client_data_connection(turn_turnserver *server, tcp_co if(message_integrity && ss) { size_t len = ioa_network_buffer_get_size(nbh); - stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype); + stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,SHATYPE_DEFAULT); ioa_network_buffer_set_size(nbh,len); } 
@@ -3280,49 +3280,10 @@ static int check_stun_auth(turn_turnserver *server, switch(sarlen) { case SHA1SIZEBYTES: - if(server->shatype > SHATYPE_SHA1) { - *err_code = SHA_TOO_WEAK_ERROR_CODE; - *reason = SHA_TOO_WEAK_ERROR_REASON; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } - if(server->shatype != SHATYPE_SHA1) { - *err_code = 401; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } break; case SHA256SIZEBYTES: - if(server->shatype > SHATYPE_SHA256) { - *err_code = SHA_TOO_WEAK_ERROR_CODE; - *reason = SHA_TOO_WEAK_ERROR_REASON; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } - if(server->shatype != SHATYPE_SHA256) { - *err_code = 401; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } - break; case SHA384SIZEBYTES: - if(server->shatype > SHATYPE_SHA384) { - *err_code = SHA_TOO_WEAK_ERROR_CODE; - *reason = SHA_TOO_WEAK_ERROR_REASON; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } - if(server->shatype != SHATYPE_SHA384) { - *err_code = 401; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } - break; case SHA512SIZEBYTES: - if(server->shatype > SHATYPE_SHA512) { - *err_code = SHA_TOO_WEAK_ERROR_CODE; - *reason = SHA_TOO_WEAK_ERROR_REASON; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } - if(server->shatype != SHATYPE_SHA512) { - *err_code = 401; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } - break; default: *err_code = 401; return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); 
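Review bot: The `case SHA256SIZEBYTES:`, `case SHA384SIZEBYTES:` and `case SHA512SIZEBYTES:` labels left in the rewritten switch are empty and fall through to `default:` with no marker, so a reader cannot tell whether the 401 for those lengths is intended or a dropped `break`. Either mark the intent (`/* fallthrough: only a SHA1-sized MESSAGE-INTEGRITY is accepted */`) or drop the three labels, since `default` already produces the same 401 challenge and the switch then reads as "SHA1 length or reject". A short comment that a non-SHA1 digest length is now answered with a plain 401 instead of the former 426 "credentials too weak" challenge would also help, as that is the client-visible behaviour change of this commit. check_stun_auth starts before this hunk.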
@@ -3446,22 +3407,11 @@ static int check_stun_auth(turn_turnserver *server, } /* Check integrity */ - int too_weak = 0; if(stun_check_message_integrity_by_key_str(server->ct,ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh), ss->hmackey, ss->pwd, - server->shatype, - &too_weak)<1) { - - if(too_weak) { - TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, - "%s: user %s credentials are incorrect: SHA function is too weak\n", - __FUNCTION__, (char*)usname); - *err_code = SHA_TOO_WEAK_ERROR_CODE; - *reason = SHA_TOO_WEAK_ERROR_REASON; - return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); - } + SHATYPE_DEFAULT)<1) { if(can_resume) { (server->userkeycb)(server->id, server->ct, server->oauth, &(ss->oauth), usname, realm, resume_processing_after_username_check, in_buffer, ss->id, postpone_reply); @@ -3907,7 +3857,7 @@ static int handle_turn_command(turn_turnserver *server, ts_ur_super_session *ss, if(message_integrity) { size_t len = ioa_network_buffer_get_size(nbh); - stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype); + stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,SHATYPE_DEFAULT); ioa_network_buffer_set_size(nbh,len); } @@ -4840,7 +4790,7 @@ void init_turn_server(turn_turnserver* server, vintp no_multicast_peers, vintp no_loopback_peers, ip_range_list_t* ip_whitelist, ip_range_list_t* ip_blacklist, send_socket_to_relay_cb send_socket_to_relay, - vintp secure_stun, SHATYPE shatype, vintp mobility, int server_relay, + vintp secure_stun, vintp mobility, int server_relay, send_turn_session_info_cb send_turn_session_info, send_https_socket_cb send_https_socket, allocate_bps_cb allocate_bps_func, 
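Review bot: Dropping the `too_weak` branch also drops the only log line on this path, so an integrity failure caused by a malformed or mismatched MESSAGE-INTEGRITY is now silent, while the callee still distinguishes -1 (length/shatype mismatch or other failure) from 0 (HMAC mismatch), as the ns_turn_msg.c hunk shows. Capturing the result keeps that signal for operators: `int rc = stun_check_message_integrity_by_key_str(server->ct, ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh), ss->hmackey, ss->pwd, SHATYPE_DEFAULT);` `if(rc < 0) TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: user %s: MESSAGE-INTEGRITY check failed (malformed attribute)\n", __FUNCTION__, (char*)usname);` `if(rc < 1) {`. Whether a non-SHA1 length can still reach this point after the earlier switch in the same function is not visible here, so the -1 case may be limited to other parse failures. check_stun_auth starts before this hunk and the `if(rc < 1)` block continues past it.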
@@ -4864,7 +4814,6 @@ void init_turn_server(turn_turnserver* server, server->no_multicast_peers = no_multicast_peers; server->no_loopback_peers = no_loopback_peers; server->secure_stun = secure_stun; - server->shatype = shatype; server->mobility = mobility; server->server_relay = server_relay; server->send_turn_session_info = send_turn_session_info; diff --git a/src/server/ns_turn_server.h b/src/server/ns_turn_server.h index 1a76739..e976a07 100644 --- a/src/server/ns_turn_server.h +++ b/src/server/ns_turn_server.h @@ -118,7 +118,6 @@ struct _turn_turnserver { vintp stun_only; vintp no_stun; vintp secure_stun; - SHATYPE shatype; turn_credential_type ct; get_alt_addr_cb alt_addr_cb; send_message_cb sm_cb; @@ -197,7 +196,6 @@ void init_turn_server(turn_turnserver* server, ip_range_list_t* ip_blacklist, send_socket_to_relay_cb send_socket_to_relay, vintp secure_stun, - SHATYPE shatype, vintp mobility, int server_relay, send_turn_session_info_cb send_turn_session_info,